I am working on a buildout where I am doing the following. Eventually I will need to make this scalable so I am not doing this manually each time.
I have several clients dumping data into S3 buckets. Each client needs R/W access to just that bucket. For that, I can use this policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BucketOperations",
      "Effect": "Allow",
      "Action": "s3:ListBucket*",
      "Resource": "arn:aws:s3:::<bucketname>"
    },
    {
      "Sid": "ObjectOperations",
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject*",
        "s3:GetObject*",
        "s3:PutObject*"
      ],
      "Resource": "arn:aws:s3:::<bucketname>/*"
    },
    {
      "Sid": "DenyAllOthers",
      "Effect": "Deny",
      "Action": "s3:*",
      "NotResource": [
        "arn:aws:s3:::<bucketname>",
        "arn:aws:s3:::<bucketname>/*"
      ]
    }
  ]
}
```
On my end, I have several analysts that are using Athena to query the data via Tableau and other tools. I have a Glue job to index the source bucket, and each client dataset will need an Athena results bucket so I can maintain appropriate access.
My problem is that I don't know how to write the S3 policy so that I can have one-per-bucket, and then attach them to the IAM users. When I use the above policy to create
- bucket1-policy
- bucket2-policy
And then add them to an IAM user, e.g.
- bucket1-policy
- bucket2-policy
- my-athena-policy
- ...
it looks like the DenyAllOthers parts are causing the user to not have S3 access.
Is there a better way to write the S3 access policy, so I can have one per bucket, or do I need to have a separate policy for my Athena users to grant access to the two buckets and then deny the rest?
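To see why stacking several copies of that policy on one user ends in no S3 access at all, here is a small simulator of how IAM evaluates identity-based policies (an explicit Deny in any attached policy wins, otherwise any Allow grants, otherwise the request is implicitly denied). This is an added example, not code from the original post or from AWS: it ignores Condition blocks, bucket policies and SCPs, and the bucket names `bucket1`, `bucket2`, `bucket3` and the object key `data.csv` are made up for the demonstration. The `bucket_policy` helper reproduces the poster's policy; `deny_all_but` is an assumed alternative that puts a single Deny, listing every permitted bucket, in one separate policy.

```python
"""Minimal model of IAM identity-policy evaluation for S3 requests.
Added example; not part of the original post. Conditions, resource
policies and SCPs are not modelled."""
import re


def _wild(pattern):
    """Compile an IAM-style wildcard ('*' any run, '?' one char) into a regex."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", re.IGNORECASE)


def _listify(x):
    return x if isinstance(x, list) else [x]


def statement_applies(stmt, action, resource):
    """True if the statement's Action and Resource/NotResource cover the request."""
    if not any(_wild(a).match(action) for a in _listify(stmt["Action"])):
        return False
    if "Resource" in stmt:
        return any(_wild(r).match(resource) for r in _listify(stmt["Resource"]))
    # NotResource: the statement applies to every resource that is NOT listed
    return not any(_wild(r).match(resource) for r in _listify(stmt["NotResource"]))


def evaluate(policies, action, resource):
    """Return 'explicitDeny', 'allowed' or 'implicitDeny' for the attached policies."""
    allowed = False
    for pol in policies:
        for stmt in pol["Statement"]:
            if statement_applies(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "explicitDeny"  # any matching Deny wins, whichever policy it is in
                allowed = True
    return "allowed" if allowed else "implicitDeny"


def bucket_policy(bucket, deny_others=True):
    """The poster's per-bucket policy; deny_others=False drops the DenyAllOthers statement."""
    arn, objs = f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"
    statements = [
        {"Sid": "BucketOperations", "Effect": "Allow",
         "Action": "s3:ListBucket*", "Resource": arn},
        {"Sid": "ObjectOperations", "Effect": "Allow",
         "Action": ["s3:AbortMultipartUpload", "s3:DeleteObject*",
                    "s3:GetObject*", "s3:PutObject*"],
         "Resource": objs},
    ]
    if deny_others:
        statements.append({"Sid": "DenyAllOthers", "Effect": "Deny",
                           "Action": "s3:*", "NotResource": [arn, objs]})
    return {"Version": "2012-10-17", "Statement": statements}


def deny_all_but(buckets):
    """Assumed alternative: one Deny whose NotResource lists every bucket the user may touch."""
    arns = [a for b in buckets for a in (f"arn:aws:s3:::{b}", f"arn:aws:s3:::{b}/*")]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyAllOthers", "Effect": "Deny", "Action": "s3:*", "NotResource": arns}]}


def check(policies):
    """Evaluate s3:GetObject on a constructed object key in three buckets (bucket3 is foreign)."""
    return {b: evaluate(policies, "s3:GetObject", f"arn:aws:s3:::{b}/data.csv")
            for b in ("bucket1", "bucket2", "bucket3")}


if __name__ == "__main__":
    # Two per-bucket policies that each carry DenyAllOthers: bucket1's Deny covers
    # every bucket except bucket1, so it denies bucket2, and vice versa.
    print("with DenyAllOthers:",
          check([bucket_policy("bucket1"), bucket_policy("bucket2")]))
    # Allow-only per-bucket policies: the implicit default deny already blocks bucket3.
    print("allow only:",
          check([bucket_policy("bucket1", False), bucket_policy("bucket2", False)]))
    # Allow-only per-bucket policies plus one Deny that lists both buckets.
    print("allow + one deny:",
          check([bucket_policy("bucket1", False), bucket_policy("bucket2", False),
                 deny_all_but(["bucket1", "bucket2"])]))
```

The first case returns `explicitDeny` for every bucket, including the two the user is supposed to reach; the same Deny would also block whatever S3 access `my-athena-policy` grants to the results buckets. The second case shows that, with no explicit Deny at all, IAM's implicit default deny still blocks `bucket3`; the third shows the one-Deny-per-user variant, which explicitly denies `bucket3` while leaving the two allowed buckets reachable.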